Alejandro Napoles

Ghost with HTTPS

April 18th, 2016

After I configured HTTPS on the server and deployed the Ghost blog, I started receiving mixed content errors on the blog. These errors were caused by Ghost serving subresources over HTTP, which weakens the security of the entire page.

These requests are vulnerable to man-in-the-middle attacks, where an attacker eavesdrops on a network connection and views or modifies the communication between two parties. Using these resources, an attacker can often take complete control over the page, not just the compromised resource.

Initially I thought the only thing I needed to do was change the url in the Ghost config file, as this guide recommended, to make it use the HTTPS one. But it didn’t fix the errors.

Reading more into the official documentation, I found that I needed to add the urlSSL parameter to the config file. It is also necessary to use the forceAdminSSL parameter, which allows us to force SSL for the administration interface:

urlSSL: "https://alejandronapoles.com",
forceAdminSSL: true

Written by Alejandro Napoles. Web developer.

alejandro napoles dot com by Alejandro Napoles is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.